USER-CONVENIENT AUTHENTICATION METHOD AND APPARATUS USING A MOBILE AUTHENTICATION APPLICATION

US 20140040628A1
Filed: 08/02/2013
Published: 02/06/2014
Est. Priority Date: 08/03/2012
Status: Active Grant

First Claim

Patent Images

1. A method for securing interaction with an application by a user who remotely accesses said application through an access device that is connected to an application server hosting said application, comprising the steps of:

at a user authentication device capturing a signal emitted by the access device, said signal encoded with an authentication initiating message, said authenticating initiating message comprising at least an application identifier corresponding to an identity of the application;

at the user authentication device decoding said signal and obtaining the authentication initiating message;

at the user authentication device retrieving from the authentication initiating message the application identifier;

at the user authentication device using the application identifier to obtain a human interpretable representation of the application identity and presenting the obtained application identity representation to the user using a user output interface of the user authentication device;

at the user authentication device obtaining from the user, using a user input interface of the user authentication device, an approval for generating a response message and making the response message available to a verification server;

at the user authentication device generating a dynamic security value using a first cryptographic algorithm parameterized with a cryptographic dynamic security value generation key and using at least one personalized data element that is associated with the particular user or the particular user authentication device, wherein the generated dynamic security value is cryptographically linked to the application identity presented to the user;

at the user authentication device generating a response message comprising at least the generated dynamic security value;

making the generated response message available to a verification server;

at the verification server receiving the response message;

verifying the response message including verifying the validity of the dynamic security value;

communicating the result of the verification of the response message to the application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus, and systems for securing application interactions are disclosed. Application interactions may be secured by, at a user authentication device, capturing a signal emitted by an access device encoded with an authentication initiating message including an application identifier, decoding the signal and obtaining the authentication initiating message, retrieving the application identifier, presenting a human interpretable representation of the application identity to the user, obtaining user approval to generate a response message available to a verification server, generating a dynamic security value using a cryptographic algorithm that is cryptographically linked to the application identity, and generating a response message including the generated dynamic security value; making the response message available to a verification server; and, at the verification server, receiving the response message, verifying the response message including verifying the validity of the dynamic security value, and communicating the result of the verification of the response message to the application.

482 Citations

18 Claims

1. A method for securing interaction with an application by a user who remotely accesses said application through an access device that is connected to an application server hosting said application, comprising the steps of:
- at a user authentication device capturing a signal emitted by the access device, said signal encoded with an authentication initiating message, said authenticating initiating message comprising at least an application identifier corresponding to an identity of the application;
  
  at the user authentication device decoding said signal and obtaining the authentication initiating message;
  
  at the user authentication device retrieving from the authentication initiating message the application identifier;
  
  at the user authentication device using the application identifier to obtain a human interpretable representation of the application identity and presenting the obtained application identity representation to the user using a user output interface of the user authentication device;
  
  at the user authentication device obtaining from the user, using a user input interface of the user authentication device, an approval for generating a response message and making the response message available to a verification server;
  
  at the user authentication device generating a dynamic security value using a first cryptographic algorithm parameterized with a cryptographic dynamic security value generation key and using at least one personalized data element that is associated with the particular user or the particular user authentication device, wherein the generated dynamic security value is cryptographically linked to the application identity presented to the user;
  
  at the user authentication device generating a response message comprising at least the generated dynamic security value;
  
  making the generated response message available to a verification server;
  
  at the verification server receiving the response message;
  
  verifying the response message including verifying the validity of the dynamic security value;
  
  communicating the result of the verification of the response message to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the response message further comprises a data element that is indicative of an identity of the user or an identity of the user authentication device and wherein said data element indicative of the user identity or the user authentication device identity is used to determine a user identity and wherein said user identity is also communicated to the application.
  - 3. The method of claim 2 wherein the user identity is determined also as a function of the application identity.
  - 4. The method of claim 1 wherein all application dependent data used to obtain the application identity representation are obtained by the user authentication device from a source external to the user authentication device or from the authentication initiating message.
  - 5. The method of claim 1 further comprising the steps of:
    - generating a server credential to be included in the authentication initiating message, said generating using a second cryptographic algorithm parameterized with a cryptographic server credential generation key;
      
      at the user authentication device retrieving from the authentication initiating message the included server credential;
      
      at the user authentication device verifying the server credential using a third cryptographic algorithm parameterized with a cryptographic server credential verification key.
  - 6. The method of claim 5 wherein the application identifier comprised in the authentication initiating message is cryptographically linked to the server credential.
  - 7. The method of claim 1 wherein the step of generating a response message further comprises:
    - at the user authentication device including in the response message generated by the user authentication device a data element indicative of the application identity representation presented to the user.
  - 8. The method of claim 7 further comprising:
    - at the verification server verifying whether the data element that is indicative of the application identity representation presented to the user is consistent with the application identity indicated by the application identifier comprised in the authentication initiating message.
  - 9. The method of claim 1 further comprising the steps of:
    - at the user authentication device retrieving from the authentication initiating message transaction related data comprised in the authentication initiating message;
      
      at the user authentication device presenting the retrieved transaction related data using a user output interface of the user authentication device; and
      
      wherein the generated dynamic security value is cryptographically linked to the transaction related data.
  - 10. The method of claim 9 further comprising the steps of:
    - generating a server credential to be included in the authentication initiating message, said generating using a second cryptographic algorithm parameterized with a cryptographic server credential generation key;
      
      at the user authentication device retrieving from the authentication initiating message the included server credential;
      
      at the user authentication device verifying the server credential using a third cryptographic algorithm parameterized with a cryptographic server credential verification key;
      
      wherein the server credential is cryptographically linked to the transaction related data.
  - 11. The method of claim 9 further comprising the steps of:
    - at the user authentication device including in the response message generated by the user authentication device data elements indicative of the transaction related data presented to the user; and
      
      at the verification server verifying whether the data elements that are indicative of the transaction related data presented to the user are consistent with the transaction related data comprised in the authentication initiating message.
  - 12. The method of claim 1 whereinthe dynamic security value generation key comprises a secret personalized key;
    - and whereinthe user authentication device calculates the dynamic security value by cryptographically combining the dynamic security value generation key with at least a dynamic input value; and
      
      whereinsaid dynamic input value comprises at least one of a time-related value provided by a time-mechanism in the user authentication device, a counter-related value stored and maintained by the user authentication device, or a challenge comprised in the authentication initiating message.
  - 13. The method of claim 12 wherein the user authentication device calculates the dynamic security value by cryptographically combining the dynamic security value generation key also with a data element that is indicative of the application identity representation presented to the user.
  - 14. The method of claim 12 wherein:
    - the user authentication device retrieves from the authentication initiating message transaction related data comprised in the authentication initiating message and presents these transaction related data to the user; and
      
      whereinthe user authentication device calculates the dynamic security value by cryptographically combining the dynamic security value generation key also with data elements that are indicative of the transaction related data presented to the user.

15. An apparatus for generating authentication credentials comprising:
- a processing component adapted for processing data;
  
  a storage component for storing data;
  
  a user interface component comprising a first user output interface for presenting outputs to a user and an input user interface for receiving input from the user; and
  
  a data input interface adapted to capture a signal emitted by a second user output interface of an access device that the user is using for remotely accessing an application over a computer network, said signal encoded with an authentication initiating message, said authenticating initiating message comprising at least an application identifier corresponding to an identity of said application;
  
  whereby the apparatus is adapted to decode said signal and obtain the authentication initiating message;
  
  retrieve from the authentication initiating message the application identifier;
  
  use the application identifier to obtain a human interpretable representation of the application identity and present the obtained application identity representation to the user using the first user output interface;
  
  obtain from the user, using the user input interface, an approval for generating a response message and making the response message available to a verification server;
  
  generate a dynamic security value using a first cryptographic algorithm parameterized with a cryptographic dynamic security value generation key and using at least one personalized data element that is associated with the user or the apparatus, wherein the generated dynamic security value is cryptographically linked to the application identity presented to the user; and
  
  generate a response message comprising at least the generated dynamic security value.
- View Dependent Claims (16, 17, 18)
- - 16. The apparatus of claim 15 further adapted to present the generated response message to the user using the first user output interface.
  - 17. The apparatus of claim 15 further comprising a data communications interface adapted to communicate said response message to a verification server.
  - 18. A system for securing interaction with an application by a user who remotely accesses said application through an access device that is connected to an application server hosting said application, comprising:
    - a plurality of user authentication devices as claimed in claim 15; and
      
      a verification server adapted to receive a response message generated by any of the plurality of user authentication devices, and adapted to verify the received response message including verifying the validity of the dynamic security value comprised in the response message, and adapted to communicate the result of the verification of the response message to the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Onespan North America Incorporated (OneSpan, Inc.)
Original Assignee
Vasco Data Security Incorporated (OneSpan, Inc.)
Inventors
Coulier, Frank, FORT, NICOLAS, Teixeron, Guilaume

Granted Patent

US 9,710,634 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/36   by graphic or iconic repres...

G06F 21/606   by securing the transmissio...

G09C 5/00   Ciphering apparatus or meth...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 63/18   using different networks or...

H04L 9/3215   using a plurality of channe...

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

H04W 12/06   Authentication

H04W 12/77   Graphical identity

USER-CONVENIENT AUTHENTICATION METHOD AND APPARATUS USING A MOBILE AUTHENTICATION APPLICATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

482 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

USER-CONVENIENT AUTHENTICATION METHOD AND APPARATUS USING A MOBILE AUTHENTICATION APPLICATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

482 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links